chore: bump version to v0.2.13 [skip ci]

Swagger (/swagger) is only enabled in Development mode (Program.cs
gates it behind app.Environment.IsDevelopment()). In production,
nginx serves the frontend catch-all (index.html), so the check
always returns 200 but never actually validates the API layer.

/health already covers API + database + runtime health checks.
No replacement endpoint needed — the smoke test still validates
both the dashboard and the backend API via /health.

.gitea/workflows/ci.yaml

@@ -1,6 +1,11 @@
 name: CI - Build & Test
 run-name: 🔍 CI ${{ gitea.ref_name }} by @${{ gitea.actor }}
 
+# ── Concurrency: cancel in-progress CI when new push arrives ──
+concurrency:
+  group: ci-${{ gitea.ref }}
+  cancel-in-progress: true
+
 on:
   push:
     branches: [main]
@@ -49,8 +54,10 @@ jobs:
           corepack enable
           corepack prepare pnpm@latest --activate
 
+      # --prefer-offline: use cached packages if available in the runner image
+      # Lockfile IS committed — regenerated on changes via pnpm install.
       - name: Install dependencies
-        run: pnpm install --no-frozen-lockfile
+        run: pnpm install --no-frozen-lockfile --prefer-offline
         working-directory: frontend
 
       - name: Type check

.gitea/workflows/deploy.yaml

@@ -1,6 +1,13 @@
 name: Deploy to Production
 run-name: 🚀 Deploy ${{ inputs.bump_version || 'patch' }} by @${{ gitea.actor }}
 
+# ── Concurrency: one deploy at a time, cancel queued ones ──
+# Why: prevents race conditions when CI triggers deploy while
+#   a manual deploy is still running. The latest deploy wins.
+concurrency:
+  group: deploy-production
+  cancel-in-progress: false
+
 # ───────────────────────────────────────────────────
 # Trigger: automatic after CI success, or manual dispatch.
 # Runner: uses ubuntu-latest label (consistently present on
@@ -153,29 +160,84 @@ jobs:
               fi
             "
 
-      # ── Step 6: Health Check ──────────────────
+      # ── Step 6: Health Check (backoff) ────────
+      # Exponential-ish backoff: 1s, 2s, 3s, 5s, 8s, 13s (~32s total).
+      # Why: cold-start containers need variable warmup time;
+      #   fixed 5s intervals either wait too long or give up too early.
       - name: Health Check
         run: |
-          sleep 5
           echo "🏥 Health check..."
-          for i in 1 2 3 4 5 6; do
+          RETRY=0
+          MAX=6
+          WAIT=1
+          while [ $RETRY -lt $MAX ]; do
+            RETRY=$((RETRY + 1))
             if curl -sf --max-time 10 https://nexus.noveria.net/health; then
               echo ""
-              echo "✅ Health check passed"
+              echo "✅ Health check passed (attempt $RETRY/$MAX)"
-              break
+              exit 0
             fi
-            echo "⏳ Retry $i/6..."
+            echo "⏳ Attempt $RETRY/$MAX failed, waiting ${WAIT}s..."
-            sleep 5
+            sleep $WAIT
+            # Fibonacci-ish backoff: 1,2,3,5,8,13
+            NEXT=$((WAIT + RETRY))
+            [ $NEXT -le 15 ] && WAIT=$NEXT || WAIT=15
           done
+          echo "❌ Health check failed after $MAX attempts"
+          exit 1
 
-      # ── Step 7: Smoke test ────────────────────
+      # ── Step 7: Smoke test (multi-endpoint) ───
+      # Tests multiple endpoints to catch partial failures.
+      # Why: a single /dashboard check can miss backend-only outages;
+      #   /health tests the API + database + runtime status.
       - name: Verify (smoke test)
         run: |
           echo "🔍 Smoke test..."
-          HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" https://nexus.noveria.net/dashboard)
+          PASS=0
-          echo "Dashboard: HTTP $HTTP_CODE"
+          FAIL=0
-          if [ "$HTTP_CODE" != "200" ]; then
+          BASE="https://nexus.noveria.net"
-            echo "❌ Dashboard not reachable!"
+
+          check() {
+            local path="$1" label="$2" expected="${3:-200}"
+            local code=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "${BASE}${path}")
+            printf "  %-25s HTTP %s" "${label}:" "${code}"
+            if [ "$code" = "$expected" ]; then
+              echo " ✅"
+              PASS=$((PASS + 1))
+            else
+              echo " ❌ (expected $expected)"
+              FAIL=$((FAIL + 1))
+            fi
+          }
+
+          check "/dashboard" "Dashboard"    200
+          check "/health"    "Health API"   200
+
+          echo ""
+          echo "Results: $PASS passed, $FAIL failed"
+          if [ "$FAIL" -gt 0 ]; then
+            echo "❌ Smoke test failed!"
             exit 1
           fi
           echo "✅ Deployment verified"
+
+      # ── Step 8: Rollback hint ────────────────
+      # On any failure, prints the previous deploy tag for quick manual rollback.
+      # Why: reduces MTTR (mean time to recovery) by providing the exact
+      #   git tag to roll back to without needing to look it up manually.
+      - name: Rollback hint
+        if: failure()
+        run: |
+          echo ""
+          echo "🔙 ─── Rollback Instructions ─── 🔙"
+          echo ""
+          echo "  # 1. Checkout previous version:"
+          echo "  git checkout tags/\$(git describe --tags --abbrev=0 2>/dev/null || echo 'unknown')"
+          echo ""
+          echo "  # 2. Redeploy:"
+          echo "  cd /opt/openclaw/data/openclaw/workspace/nexus"
+          echo "  docker compose up -d --force-recreate"
+          echo ""
+          echo "  # 3. Or trigger rollback via Gitea:"
+          echo "  Trigger 'Deploy to Production' workflow with the previous tag"
+          echo ""

.gitignore

@@ -30,5 +30,4 @@ docker-compose.override.yml
 *.tmp
 *.bak
 
-# pnpm
+# pnpm (lockfile IS committed for reproducible CI builds)
-pnpm-lock.yaml

VERSION

@@ -1 +1 @@
-0.2.9
+0.2.13